How to change domain password via VPN?
We have:
1. Domain with AD, groups and users.
2. Gateway based on Kerio.
3. VPN
4. Remote domain users.
It is necessary to implement the ability for remote domain users to change their domain password on their own.
I also set up a separate virtual machine on Win7 and joined it to the domain so that remote users could connect to it under their domain accounts and change the password. But not everything is so simple...
A remote employee establishes a VPN connection, authenticating with his domain login:password. If at the time the connection is established his account has the "Require password change at next login" checkbox set, then authorization fails.
If you do not require a password change in this way, but instead make the user open RDP to the virtual machine after establishing the VPN connection and change the password there, then when changing the password we consistently get an error that the password does not meet the requirements of the password policy or has already been used before. Which is not true, because I checked it by creating a new user, and with a password that matches the requirements of the policy I could not have made a mistake either.
Actually, how else can you change the password for domain users?
P.S. The option to change via RDP (without VPN) with port forwarding on the gateway works, but I don't want to use this option on an ongoing basis, because this is clearly a security hole.
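One thing to check for the policy error described in the question, as an added example that is not part of the original post: Active Directory rejects a user-initiated password change made before the minimum password age has elapsed and reports it with the same policy message, which would also affect a freshly created test user. The sketch assumes the ActiveDirectory RSAT module is available; the function name and the account name `jdoe` are constructed for illustration.

```powershell
# Added diagnostic example; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-PasswordChangeBlocker {
    param(
        # Account to inspect (caller-supplied; 'jdoe' below is a constructed sample)
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordLastSet, pwdLastSet, CannotChangePassword

    # A fine-grained policy (PSO), if one applies, overrides the domain default.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

    # "Change password at next logon" is stored as pwdLastSet = 0.
    $mustChange = ($user.pwdLastSet -eq 0)

    # Earliest moment the user may change the password themselves.
    $earliest = $null
    if ($null -ne $user.PasswordLastSet) {
        $earliest = $user.PasswordLastSet + $policy.MinPasswordAge
    }
    $blockedByMinAge = (-not $mustChange) -and ($null -ne $earliest) -and
                       ((Get-Date) -lt $earliest)

    [pscustomobject]@{
        User                 = $user.SamAccountName
        MustChangeAtLogon    = $mustChange
        CannotChangePassword = $user.CannotChangePassword
        PasswordLastSet      = $user.PasswordLastSet
        MinPasswordAge       = $policy.MinPasswordAge
        EarliestSelfChange   = $earliest
        BlockedByMinAge      = $blockedByMinAge
        HistoryCount         = $policy.PasswordHistoryCount
        MinLength            = $policy.MinPasswordLength
        ComplexityEnabled    = $policy.ComplexityEnabled
    }
}

# Constructed sample account name; replace with a real test user.
Test-PasswordChangeBlocker -SamAccountName 'jdoe' | Format-List
```

If `BlockedByMinAge` is true, the rejection comes from the age rule rather than from the new password's length, complexity or history.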
The only true and acceptable option, as it turned out, is to install RD Web Access.
I know two options (either / or):
1. Use the Windows VPN server role; when connecting, it offers to change the password itself if the forced-change checkbox is set.
2. Leave it as it is and create users with complex and long passwords right away. If the user wants to change it, he can do it in the RDP session by pressing Ctrl+Alt+Insert. But, from experience, remote users do not like to change their passwords, which is why you need to set proper ones without a forced change.
PS:
I myself use the second option, since the lion's share of external services and AD is needed only for authentication in these services.